Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TDL4@MBR Rootkit.... Google redirect.. Pop Ups.. Super infection


  • This topic is locked This topic is locked
9 replies to this topic

#1 jleebee

jleebee

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 09 May 2011 - 10:19 PM

hi there technological thinking humans, i appreciate your existence.

i have a super infection.. i have tried everything within my power to fix it... in addition to the above windows will not update... and my land line does not work, although i am guessing it is not the same problem.

i have followed the tutorial to the best of my ability, i apologize in advance for anything i do improperly. thank you again.





-------------------------------------------------------------------------------

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by New User at 22:27:02.23 on Mon 05/09/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_25
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nlssrv32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\New User\Desktop\Defogger.exe
C:\Documents and Settings\New User\Desktop\dds.scr
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yahoo.sbc.com/dsl
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://yahoo.sbc.com/dsl
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyServer = http=localhost:3574
uInternet Settings,ProxyOverride = cgi*.ebay.com;disney.go.com;msa_e1.ebay.com;rhapsody_app*.listen.com;<local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2011\ievkbd.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
BHO: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [Yahoo! Pager] 1
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2011\avp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: &Viewpoint Search - c:\program files\viewpoint\viewpoint toolbar v35\ViewBar.dll/CXTSEARCH.HTML
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2011\ie_banner_deny.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Yahoo! Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6}
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2011\klwtbbho.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://files.member.yahoo.com/dl/installs/sbc/yinst.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc2.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121434966625
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133021307296
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://download.yahoo.com/dl/installs/yab_af.cab
DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_25-windows-i586.cab
DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - hxxp://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - hxxp://entimg.msn.com/client/msnmusax3112.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: klogon - c:\windows\system32\klogon.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\newuse~1\applic~1\mozilla\firefox\profiles\j3snxtxy.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 3574
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\new user\local settings\application data\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: e:\picasa3\npPicasa3.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R? cpuz132;cpuz132
R? CWMonitor;Symantec Crimeware Protection Driver
R? MpKsl17661466;MpKsl17661466
R? MpKsl58685dde;MpKsl58685dde
R? MpKsla74803d6;MpKsla74803d6
R? MpKslb902af06;MpKslb902af06
S? AVP;Kaspersky Anti-Virus Service
S? IS360service;IS360service
S? kl1;kl1
S? kl2;kl2
S? klbg;Kaspersky Lab Boot Guard Driver
S? KLIF;Kaspersky Lab Driver
S? klim5;Kaspersky Anti-Virus NDIS Filter
S? klmouflt;Kaspersky Lab KLMOUFLT
S? MpFilter;Microsoft Malware Protection Driver
S? MpKsl04cfdefc;MpKsl04cfdefc
S? MpKsl30825509;MpKsl30825509
S? MpKsl63ec2a1c;MpKsl63ec2a1c
S? MpKsl7f62e618;MpKsl7f62e618
S? MpKsl8dae4a31;MpKsl8dae4a31
S? MpKsla9633fbb;MpKsla9633fbb
S? MpKslb2133593;MpKslb2133593
S? MpKslc5923512;MpKslc5923512
S? MpKslcd68e74b;MpKslcd68e74b
S? nlsX86cc;Nalpeiron Licensing Service
S? pbfilter;pbfilter
.
=============== Created Last 30 ================
.
2011-05-08 17:11:22 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{62cf2303-e223-48e0-9c7a-14aa2419f23d}\MpKsl63ec2a1c.sys
2011-05-08 16:10:30 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{62cf2303-e223-48e0-9c7a-14aa2419f23d}\MpKslc5923512.sys
2011-05-08 13:41:34 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{62cf2303-e223-48e0-9c7a-14aa2419f23d}\MpKsla9633fbb.sys
2011-05-08 03:34:03 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{62cf2303-e223-48e0-9c7a-14aa2419f23d}\MpKslb2133593.sys
2011-05-07 12:32:44 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{62cf2303-e223-48e0-9c7a-14aa2419f23d}\MpKslcd68e74b.sys
2011-05-06 06:02:54 -------- d-----w- c:\docume~1\newuse~1\applic~1\IObit
2011-05-06 06:02:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\IObit
2011-05-06 06:01:03 -------- d-----w- c:\program files\IObit
2011-05-06 05:59:26 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{62cf2303-e223-48e0-9c7a-14aa2419f23d}\MpKsl04cfdefc.sys
2011-05-06 04:56:48 388096 ----a-r- c:\docume~1\newuse~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-05-06 04:56:45 -------- d-----w- c:\program files\Trend Micro
2011-05-06 03:43:07 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{62cf2303-e223-48e0-9c7a-14aa2419f23d}\MpKsl7f62e618.sys
2011-05-06 03:40:47 0 ----a-w- c:\documents and settings\new user\ntuser.tmp
2011-05-06 03:11:09 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{62cf2303-e223-48e0-9c7a-14aa2419f23d}\MpKsl30825509.sys
2011-05-06 02:21:51 -------- d-sha-r- C:\cmdcons
2011-05-06 01:28:30 89088 ----a-w- c:\windows\MBR.exe
2011-05-06 01:28:30 256512 ----a-w- c:\windows\PEV.exe
2011-05-06 01:28:30 161792 ----a-w- c:\windows\SWREG.exe
2011-05-06 01:28:29 98816 ----a-w- c:\windows\sed.exe
2011-05-06 01:26:53 -------- d-----w- C:\ComboFix
2011-05-05 14:49:23 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-05-05 14:49:23 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-05-05 14:45:41 -------- d-----w- c:\program files\iPod
2011-05-05 14:45:31 -------- d-----w- c:\program files\iTunes
2011-05-05 14:45:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-05-05 14:35:03 -------- d-----w- c:\program files\Bonjour
2011-05-04 11:33:45 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{62cf2303-e223-48e0-9c7a-14aa2419f23d}\MpKsl8dae4a31.sys
2011-05-04 11:32:44 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{62cf2303-e223-48e0-9c7a-14aa2419f23d}\mpengine.dll
2011-04-30 15:32:20 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-30 15:32:18 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-04-30 15:32:17 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-04-30 15:32:17 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-04-30 15:32:17 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-04-30 15:32:17 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-04-30 15:32:16 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-04-30 15:32:16 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-04-24 02:17:13 -------- d-----w- c:\docume~1\newuse~1\locals~1\applic~1\Western Digital
2011-04-23 17:22:16 -------- d-----w- c:\program files\Kaspersky Lab
2011-04-23 17:22:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2011-04-23 17:18:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2011-04-22 10:33:29 -------- d-----w- c:\docume~1\newuse~1\applic~1\Malwarebytes
2011-04-22 10:33:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-22 10:33:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-22 10:33:07 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-22 10:33:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-22 01:12:23 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-22 01:12:23 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
.
==================== Find3M ====================
.
2011-04-14 09:07:59 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-14 06:40:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:20:16 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 13:51:57 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:51:57 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51:57 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 12:37:38 369664 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST340016A rev.3.10 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x873574F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8735d7d0]; MOV EAX, [0x8735d84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8737AAB8]
3 CLASSPNP[0xF74EFFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000063[0x8737CEB0]
5 ACPI[0xF7466620] -> nt!IofCallDriver[0x804E37D5] -> [0x873DE940]
\Driver\atapi[0x873CCB08] -> IRP_MJ_CREATE -> 0x873574F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8735733B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 22:35:15.69 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:54 PM

Posted 10 May 2011 - 06:28 AM

:welcome: to BC!

Your right this infection can be tricky to remove sometimes

Step 1.
TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.


    Posted Image

  • If an infected file is detected, the default action will be Cure, click on Continue.


    Posted Image

  • If a suspicious file is detected, the default action will be Skip, click on Continue.


    Posted Image

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


    Posted Image

  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 2.
ComboFix:

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Step 3.
Things I would like to see in your reply:

  • The content of the log fro TDSSKiller in step 1.
  • The content of C:\ComboFix.txt from step 2.
  • Information on how your computer is running after those steps, any redirects now?

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Posted Image
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#3 jleebee

jleebee
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 10 May 2011 - 08:48 AM

dear heir,

thank you ever so kindly for your timely response, again i fully appreciate your existence....

after i ran TDSSKiller i got a bunch of security warnings for the Alureon (sp) virus... windows security said it was treated.

also when i wanted to run combofix i turned off all anti-virus and what not, but could not figure out how to shut down windows security, so i killed the process in task manager... i hope that was okay..


i think the redirect is okay, for now at least, it has gone away in the past after the removal of things.. it also seems as if i can download and install updates from microsoft... now if it could stay this way and my sound would come back, that would be awesome....






2011/05/10 08:38:56.0112 103076 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/10 08:38:56.0925 103076 ================================================================================
2011/05/10 08:38:56.0925 103076 SystemInfo:
2011/05/10 08:38:56.0925 103076
2011/05/10 08:38:56.0925 103076 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/10 08:38:56.0925 103076 Product type: Workstation
2011/05/10 08:38:56.0925 103076 ComputerName: JESSICALEE
2011/05/10 08:38:56.0925 103076 UserName: New User
2011/05/10 08:38:56.0925 103076 Windows directory: C:\WINDOWS
2011/05/10 08:38:56.0925 103076 System windows directory: C:\WINDOWS
2011/05/10 08:38:56.0925 103076 Processor architecture: Intel x86
2011/05/10 08:38:56.0925 103076 Number of processors: 1
2011/05/10 08:38:56.0925 103076 Page size: 0x1000
2011/05/10 08:38:56.0925 103076 Boot type: Normal boot
2011/05/10 08:38:56.0925 103076 ================================================================================
2011/05/10 08:39:01.0409 103076 Initialize success
2011/05/10 08:39:04.0081 105324 ================================================================================
2011/05/10 08:39:04.0081 105324 Scan started
2011/05/10 08:39:04.0081 105324 Mode: Manual;
2011/05/10 08:39:04.0081 105324 ================================================================================
2011/05/10 08:39:08.0284 105324 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/10 08:39:08.0425 105324 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/10 08:39:08.0878 105324 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/10 08:39:09.0034 105324 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/05/10 08:39:09.0347 105324 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/05/10 08:39:09.0987 105324 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/10 08:39:10.0081 105324 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/10 08:39:10.0284 105324 ati2mtaa (2d030c2f6b036ca0bc243e1b16d924d1) C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys
2011/05/10 08:39:10.0565 105324 ati2mtag (492bd2a5f65f218d4ede5764a3bb67e9) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/05/10 08:39:10.0784 105324 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/10 08:39:10.0940 105324 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/10 08:39:11.0050 105324 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/10 08:39:11.0237 105324 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/10 08:39:11.0331 105324 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/05/10 08:39:11.0534 105324 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/10 08:39:11.0862 105324 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/10 08:39:12.0018 105324 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/10 08:39:12.0565 105324 ctljystk (71007bd2e1e26927fe3e4eb00c0beedf) C:\WINDOWS\system32\DRIVERS\ctljystk.sys
2011/05/10 08:39:12.0987 105324 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/10 08:39:13.0112 105324 DM9102 (51ef6ca3d57055fed6ab99021d562443) C:\WINDOWS\system32\DRIVERS\DM9PCI5.SYS
2011/05/10 08:39:13.0237 105324 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/10 08:39:13.0503 105324 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/10 08:39:13.0581 105324 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/10 08:39:13.0800 105324 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/10 08:39:14.0003 105324 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/10 08:39:14.0206 105324 emu10k (01f83e1b5dce05f5cb7d99113ca9e890) C:\WINDOWS\system32\drivers\emu10k1m.sys
2011/05/10 08:39:14.0409 105324 emu10k1 (7ffa171cce6a8bfc774862a578ba39a2) C:\WINDOWS\system32\drivers\ctlfacem.sys
2011/05/10 08:39:14.0675 105324 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/10 08:39:14.0831 105324 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/05/10 08:39:14.0987 105324 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/10 08:39:15.0081 105324 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/05/10 08:39:15.0190 105324 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/05/10 08:39:15.0331 105324 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/10 08:39:15.0581 105324 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/10 08:39:15.0956 105324 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2011/05/10 08:39:16.0065 105324 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/05/10 08:39:16.0175 105324 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/10 08:39:16.0284 105324 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/10 08:39:16.0550 105324 HSFHWBS2 (970178e8e003eb1481293830069624b9) C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys
2011/05/10 08:39:16.0706 105324 HSF_DP (ebb354438a4c5a3327fb97306260714a) C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys
2011/05/10 08:39:16.0972 105324 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/10 08:39:17.0237 105324 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/10 08:39:17.0440 105324 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/10 08:39:17.0675 105324 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/05/10 08:39:17.0800 105324 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/05/10 08:39:17.0925 105324 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/10 08:39:18.0034 105324 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/10 08:39:18.0159 105324 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/10 08:39:18.0284 105324 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/10 08:39:18.0409 105324 IPVNMon (46723535d730918adb1887c7c69dbd75) C:\WINDOWS\system32\drivers\IPVNMon.sys
2011/05/10 08:39:18.0534 105324 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/10 08:39:18.0659 105324 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys
2011/05/10 08:39:18.0847 105324 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/10 08:39:18.0972 105324 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/10 08:39:19.0065 105324 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/05/10 08:39:19.0175 105324 kl1 (94d67d49bd9503bb1d838405d80f2058) C:\WINDOWS\system32\drivers\kl1.sys
2011/05/10 08:39:19.0253 105324 kl2 (713576569667ac9e0f8556076004a96b) C:\WINDOWS\system32\DRIVERS\kl2.sys
2011/05/10 08:39:19.0425 105324 klbg (1fdd35aa7efaeb283198a3b14800f37e) C:\WINDOWS\system32\drivers\klbg.sys
2011/05/10 08:39:19.0581 105324 KLIF (44ec6b3dbe167c7fa818f9918d2cbf22) C:\WINDOWS\system32\DRIVERS\klif.sys
2011/05/10 08:39:19.0800 105324 klim5 (cd16a39c6f61c2ae0272e1f431353bf7) C:\WINDOWS\system32\DRIVERS\klim5.sys
2011/05/10 08:39:19.0893 105324 klmouflt (3959530f69e19da56f1f24f2c89f1e2c) C:\WINDOWS\system32\DRIVERS\klmouflt.sys
2011/05/10 08:39:20.0034 105324 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/10 08:39:20.0143 105324 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/10 08:39:20.0456 105324 mdmxsdk (195741aee20369980796b557358cd774) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/05/10 08:39:20.0565 105324 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/10 08:39:20.0706 105324 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/10 08:39:20.0831 105324 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/10 08:39:20.0956 105324 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/05/10 08:39:21.0065 105324 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/10 08:39:21.0175 105324 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2011/05/10 08:39:21.0425 105324 MpKsl04cfdefc (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKsl04cfdefc.sys
2011/05/10 08:39:21.0706 105324 MpKsl30825509 (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKsl30825509.sys
2011/05/10 08:39:22.0050 105324 MpKsl63ec2a1c (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKsl63ec2a1c.sys
2011/05/10 08:39:22.0722 105324 MpKsl7f62e618 (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKsl7f62e618.sys
2011/05/10 08:39:22.0972 105324 MpKsl8dae4a31 (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKsl8dae4a31.sys
2011/05/10 08:39:23.0143 105324 MpKsla9633fbb (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKsla9633fbb.sys
2011/05/10 08:39:23.0378 105324 MpKslb2133593 (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKslb2133593.sys
2011/05/10 08:39:23.0925 105324 MpKslc5923512 (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKslc5923512.sys
2011/05/10 08:39:24.0175 105324 MpKslcd68e74b (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKslcd68e74b.sys
2011/05/10 08:39:24.0425 105324 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/10 08:39:24.0643 105324 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/10 08:39:24.0831 105324 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/10 08:39:24.0987 105324 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/10 08:39:25.0081 105324 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/10 08:39:25.0190 105324 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/10 08:39:25.0331 105324 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/10 08:39:25.0456 105324 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/05/10 08:39:25.0597 105324 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/10 08:39:25.0722 105324 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/05/10 08:39:25.0940 105324 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/10 08:39:26.0065 105324 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/05/10 08:39:26.0159 105324 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/10 08:39:26.0237 105324 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/10 08:39:26.0347 105324 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/10 08:39:26.0472 105324 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/10 08:39:26.0612 105324 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/10 08:39:26.0722 105324 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/10 08:39:27.0003 105324 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/10 08:39:27.0175 105324 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/10 08:39:27.0393 105324 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/10 08:39:27.0534 105324 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/10 08:39:27.0675 105324 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/10 08:39:27.0878 105324 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/05/10 08:39:28.0081 105324 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/10 08:39:28.0222 105324 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/10 08:39:28.0393 105324 pbfilter (61a5701e3f543861b21bbe0932c4cc03) C:\Program Files\PeerBlock\pbfilter.sys
2011/05/10 08:39:28.0550 105324 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/10 08:39:28.0847 105324 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/05/10 08:39:29.0440 105324 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/10 08:39:29.0534 105324 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/05/10 08:39:29.0643 105324 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/10 08:39:29.0753 105324 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/10 08:39:29.0862 105324 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
2011/05/10 08:39:30.0315 105324 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/10 08:39:30.0503 105324 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
2011/05/10 08:39:30.0597 105324 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/10 08:39:30.0737 105324 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/10 08:39:30.0847 105324 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/10 08:39:31.0003 105324 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/10 08:39:31.0081 105324 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/10 08:39:31.0206 105324 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/10 08:39:31.0362 105324 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/10 08:39:31.0597 105324 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/10 08:39:31.0722 105324 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/05/10 08:39:31.0831 105324 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/05/10 08:39:32.0003 105324 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/05/10 08:39:32.0159 105324 sfman (0b1a5e9cacb5cdd54a2815107bd7c772) C:\WINDOWS\system32\drivers\sfmanm.sys
2011/05/10 08:39:32.0378 105324 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/05/10 08:39:32.0550 105324 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/10 08:39:32.0722 105324 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/10 08:39:32.0862 105324 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/10 08:39:33.0050 105324 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/05/10 08:39:33.0175 105324 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/10 08:39:33.0331 105324 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/10 08:39:34.0050 105324 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/10 08:39:34.0190 105324 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/10 08:39:34.0331 105324 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/10 08:39:34.0440 105324 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/10 08:39:34.0565 105324 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/10 08:39:34.0690 105324 tmcomm (4dc436421c9d745d7e8c37f956701c78) C:\WINDOWS\system32\drivers\tmcomm.sys
2011/05/10 08:39:34.0878 105324 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/10 08:39:35.0112 105324 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/10 08:39:35.0393 105324 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/05/10 08:39:35.0487 105324 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/10 08:39:35.0612 105324 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/10 08:39:35.0690 105324 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/05/10 08:39:35.0878 105324 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/10 08:39:36.0097 105324 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/10 08:39:36.0268 105324 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/05/10 08:39:36.0456 105324 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/05/10 08:39:37.0206 105324 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/10 08:39:37.0706 105324 VX3000 (45798ec03c6aeb45aa2f2084f7842f6c) C:\WINDOWS\system32\DRIVERS\VX3000.sys
2011/05/10 08:39:38.0315 105324 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/10 08:39:38.0550 105324 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/10 08:39:38.0753 105324 winachsf (1225ebea76aac3c84df6c54fe5e5d8be) C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys
2011/05/10 08:39:39.0143 105324 WpdUsb (1385e5aa9c9821790d33a9563b8d2dd0) C:\WINDOWS\system32\Drivers\wpdusb.sys
2011/05/10 08:39:39.0237 105324 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/05/10 08:39:39.0347 105324 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/05/10 08:39:39.0503 105324 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/10 08:39:39.0550 105324 ================================================================================
2011/05/10 08:39:39.0550 105324 Scan finished
2011/05/10 08:39:39.0550 105324 ================================================================================
2011/05/10 08:39:39.0597 105648 Detected object count: 1
2011/05/10 08:39:49.0565 105648 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/10 08:39:49.0565 105648 \HardDisk0 - ok
2011/05/10 08:39:49.0565 105648 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/05/10 08:40:25.0097 105404 Deinitialize success


-------------------------------------------------------


ComboFix 11-05-09.02 - New User 05/10/2011 9:13.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.572 [GMT -4:00]
Running from: c:\combofix\ComboFix.exe
Command switches used :: ComboFix
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-04-10 to 2011-05-10 )))))))))))))))))))))))))))))))
.
.
2011-05-10 12:45 . 2011-05-10 12:45 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKslc1ccc056.sys
2011-05-08 17:11 . 2011-05-08 17:11 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKsl63ec2a1c.sys
2011-05-08 16:10 . 2011-05-08 16:10 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKslc5923512.sys
2011-05-08 13:41 . 2011-05-08 13:41 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKsla9633fbb.sys
2011-05-08 03:34 . 2011-05-08 03:34 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKslb2133593.sys
2011-05-07 12:32 . 2011-05-07 12:32 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKslcd68e74b.sys
2011-05-06 06:02 . 2011-05-06 06:02 -------- d-----w- c:\documents and settings\New User\Application Data\IObit
2011-05-06 06:02 . 2011-05-06 06:02 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-05-06 06:01 . 2011-05-06 06:01 -------- d-----w- c:\program files\IObit
2011-05-06 05:59 . 2011-05-06 05:59 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKsl04cfdefc.sys
2011-05-06 04:56 . 2011-05-06 04:56 388096 ----a-r- c:\documents and settings\New User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-06 04:56 . 2011-05-06 04:56 -------- d-----w- c:\program files\Trend Micro
2011-05-06 03:53 . 2011-05-06 03:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-06 03:43 . 2011-05-06 03:43 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKsl7f62e618.sys
2011-05-06 03:40 . 2011-05-10 12:43 0 ----a-w- c:\documents and settings\New User\ntuser.tmp
2011-05-06 03:11 . 2011-05-06 03:11 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKsl30825509.sys
2011-05-05 14:49 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-05-05 14:49 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-05-05 14:45 . 2011-05-05 14:45 -------- d-----w- c:\program files\iPod
2011-05-05 14:45 . 2011-05-05 14:48 -------- d-----w- c:\program files\iTunes
2011-05-05 14:45 . 2011-05-05 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-05-05 14:35 . 2011-05-05 14:35 -------- d-----w- c:\program files\Bonjour
2011-05-04 11:33 . 2011-05-04 11:33 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKsl8dae4a31.sys
2011-05-04 11:32 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\mpengine.dll
2011-04-30 15:32 . 2011-04-14 16:26 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-30 15:32 . 2011-04-14 16:25 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-04-30 15:32 . 2011-04-14 16:25 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-04-30 15:32 . 2011-04-14 16:25 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-04-30 15:32 . 2011-04-14 16:25 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-04-30 15:32 . 2011-04-14 16:25 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-04-30 15:32 . 2010-01-01 08:00 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-04-30 15:32 . 2010-01-01 08:00 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-04-24 02:17 . 2011-04-24 02:17 -------- d-----w- c:\documents and settings\New User\Local Settings\Application Data\Western Digital
2011-04-23 17:22 . 2011-04-23 17:22 -------- d-----w- c:\program files\Kaspersky Lab
2011-04-23 17:22 . 2011-05-10 12:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2011-04-23 17:18 . 2011-04-23 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2011-04-22 10:33 . 2011-04-22 10:33 -------- d-----w- c:\documents and settings\New User\Application Data\Malwarebytes
2011-04-22 10:33 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-22 10:33 . 2011-04-22 10:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-22 10:33 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-22 10:33 . 2011-04-22 10:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-22 01:12 . 2011-05-08 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-04-22 01:12 . 2011-04-23 13:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-22 00:18 . 2011-04-22 00:19 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-14 09:07 . 2010-06-09 13:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-14 06:40 . 2007-09-26 21:12 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-11 07:04 . 2010-12-18 16:52 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33 . 2005-07-15 04:07 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-04 12:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 13:51 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:51 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51 . 2004-08-04 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 13:18 . 2004-08-04 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:37 . 2004-08-04 12:00 369664 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32 . 2009-04-15 11:33 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2004-08-04 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-04-14 16:26 . 2011-04-30 15:32 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" [X]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2008-01-22 152872]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe" [2010-11-03 365336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-11 1280344]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-01-07 253672]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-24 09:15 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-01-02 21:41 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-05 19:57 133104 ----atw- c:\documents and settings\New User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-05-28 12:27 570664 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
2006-10-13 22:04 707376 ----a-w- c:\windows\vVX3000.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPAGER.EXE"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Mozilla Firefox 4.0 Beta 12\\firefox.exe"=
"c:\\Program Files\\Adobe\\Adobe Photoshop Lightroom 3.2\\lightroom.exe"=
"c:\\Program Files\\Microsoft Silverlight\\4.0.60129.0\\Silverlight.Configuration.exe"=
"c:\\Documents and Settings\\New User\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 32784]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [6/9/2010 4:43 PM 11352]
R1 MpKsl04cfdefc;MpKsl04cfdefc;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKsl04cfdefc.sys [5/6/2011 1:59 AM 28752]
R1 MpKsl30825509;MpKsl30825509;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKsl30825509.sys [5/5/2011 11:11 PM 28752]
R1 MpKsl63ec2a1c;MpKsl63ec2a1c;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKsl63ec2a1c.sys [5/8/2011 1:11 PM 28752]
R1 MpKsl7f62e618;MpKsl7f62e618;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKsl7f62e618.sys [5/5/2011 11:43 PM 28752]
R1 MpKsl8dae4a31;MpKsl8dae4a31;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKsl8dae4a31.sys [5/4/2011 7:33 AM 28752]
R1 MpKsla9633fbb;MpKsla9633fbb;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKsla9633fbb.sys [5/8/2011 9:41 AM 28752]
R1 MpKslb2133593;MpKslb2133593;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKslb2133593.sys [5/7/2011 11:34 PM 28752]
R1 MpKslc1ccc056;MpKslc1ccc056;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKslc1ccc056.sys [5/10/2011 8:45 AM 28752]
R1 MpKslc5923512;MpKslc5923512;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKslc5923512.sys [5/8/2011 12:10 PM 28752]
R1 MpKslcd68e74b;MpKslcd68e74b;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{62CF2303-E223-48E0-9C7A-14AA2419F23D}\MpKslcd68e74b.sys [5/7/2011 8:32 AM 28752]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [4/28/2010 4:56 PM 63488]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [12/13/2007 2:28 PM 24592]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/2/2009 7:27 PM 19472]
S1 MpKsl17661466;MpKsl17661466;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF871F28-4433-48FD-AF9A-BED65E42CFF2}\MpKsl17661466.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF871F28-4433-48FD-AF9A-BED65E42CFF2}\MpKsl17661466.sys [?]
S1 MpKsl58685dde;MpKsl58685dde;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF871F28-4433-48FD-AF9A-BED65E42CFF2}\MpKsl58685dde.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF871F28-4433-48FD-AF9A-BED65E42CFF2}\MpKsl58685dde.sys [?]
S1 MpKsla74803d6;MpKsla74803d6;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF871F28-4433-48FD-AF9A-BED65E42CFF2}\MpKsla74803d6.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF871F28-4433-48FD-AF9A-BED65E42CFF2}\MpKsla74803d6.sys [?]
S1 MpKslb902af06;MpKslb902af06;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF871F28-4433-48FD-AF9A-BED65E42CFF2}\MpKslb902af06.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF871F28-4433-48FD-AF9A-BED65E42CFF2}\MpKslb902af06.sys [?]
S2 CWMonitor;Symantec Crimeware Protection Driver;\??\c:\program files\Common Files\Symantec Shared\coShared\CW\1.0\Monitor.sys --> c:\program files\Common Files\Symantec Shared\coShared\CW\1.0\Monitor.sys [?]
S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [5/6/2011 2:02 AM 312152]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLC1CCC056
*Deregistered* - IPVNMon
*Deregistered* - pbfilter
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-05-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-1801674531-682003330-1004Core.job
- c:\documents and settings\New User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 19:57]
.
2011-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-1801674531-682003330-1004UA.job
- c:\documents and settings\New User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 19:57]
.
2011-05-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.sbc.com/dsl
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://yahoo.sbc.com/dsl
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyServer = http=localhost:3574
uInternet Settings,ProxyOverride = cgi*.ebay.com;disney.go.com;msa_e1.ebay.com;rhapsody_app*.listen.com;<local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Yahoo! Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\New User\Application Data\Mozilla\Firefox\Profiles\j3snxtxy.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 3574
FF - prefs.js: network.proxy.type - 4
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-10 09:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1935655697-1801674531-682003330-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-05-10 09:32:41
ComboFix-quarantined-files.txt 2011-05-10 13:32
ComboFix2.txt 2011-05-06 04:00
.
Pre-Run: 19,396,452,352 bytes free
Post-Run: 19,379,580,928 bytes free
.
Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - BAB7329DD186C1A9D66FD1DC7B2791F9

#4 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:54 PM

Posted 10 May 2011 - 09:20 AM

Something I should point out, regarding CCleaner,Glary Utilities, TuneUp Utilities and similar products

It's not recommended to use of registry cleaners. These often cause more problems than they fix. One of the Experts miekiemoes has an excellent writeup here
Another excellent article by Bill Castner is located here.


AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove Microsoft Security Essentials as Kaspersky is bundled with the FW.



it also seems as if i can download and install updates from microsoft.

Don't do this until we are done removing malware here.


Step 1.
Uninstall unwanted software:

Please go to Start > Control Panel > Add/Remove Programs and remove the following:

µTorrent
CCleaner
IObit Security 360
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
SoulSeek 157 NS 13e



Optional removals
µTorrent, SoulSeek and P2P programs in general are legal themselves, but much of the content downloaded with them is downloaded illegally. They are also a great way to infect yourself with malware.
CCleaner <<< --- Registry cleaner
IObit Security 360 Due to this I would advise you to ´remove it
It's up to you if you want to remove the above programs, however I recommend you do.

Step 2.
CFSCript:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
"c:\\Program Files\\SoulseekNS\\slsk.exe"=-

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Step 3.
MBAM:

  • Launch Malwarebytes' Anti-Malware.
  • Update Malwarebytes' Anti-Malware.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Step 4.
Things I would like to see in your reply:

  • Which softwares were uninstalled.
  • The content of C:\ComboFix.txt from step 2.
  • The content of the log from MBAM in step 3.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Posted Image
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#5 jleebee

jleebee
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 10 May 2011 - 12:02 PM

it also seems as if i can download and install updates from microsoft.
Don't do this until we are done removing malware here.


unfortunately i already did. i am so sorry. i will push no more buttons until you tell me to.

thank you for the link, i have lots of reading to do here, thank you all again for such a great community of people willing to help the inept :)





i uninstalled all of the programs on the list and restarted.



----------------------------------



ComboFix 11-05-09.03 - New User 05/10/2011 11:57:07.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.621 [GMT -4:00]
Running from: c:\documents and settings\New User\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-10 to 2011-05-10 )))))))))))))))))))))))))))))))
.
.
2011-05-10 13:45 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{40F76BE2-3AC2-487C-B8A3-95AFE5E6065F}\mpengine.dll
2011-05-06 06:02 . 2011-05-06 06:02 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-05-06 06:01 . 2011-05-06 06:01 -------- d-----w- c:\program files\IObit
2011-05-06 04:56 . 2011-05-06 04:56 388096 ----a-r- c:\documents and settings\New User\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-06 04:56 . 2011-05-06 04:56 -------- d-----w- c:\program files\Trend Micro
2011-05-06 03:53 . 2011-05-06 03:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-05 14:49 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-05-05 14:49 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2011-05-05 14:45 . 2011-05-05 14:45 -------- d-----w- c:\program files\iPod
2011-05-05 14:45 . 2011-05-05 14:48 -------- d-----w- c:\program files\iTunes
2011-05-05 14:45 . 2011-05-05 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-05-05 14:35 . 2011-05-05 14:35 -------- d-----w- c:\program files\Bonjour
2011-04-30 15:32 . 2011-04-14 16:26 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-30 15:32 . 2011-04-14 16:25 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-04-30 15:32 . 2011-04-14 16:25 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-04-30 15:32 . 2011-04-14 16:25 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-04-30 15:32 . 2011-04-14 16:25 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-04-30 15:32 . 2011-04-14 16:25 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-04-30 15:32 . 2010-01-01 08:00 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-04-30 15:32 . 2010-01-01 08:00 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-04-24 02:17 . 2011-04-24 02:17 -------- d-----w- c:\documents and settings\New User\Local Settings\Application Data\Western Digital
2011-04-23 17:22 . 2011-04-23 17:22 -------- d-----w- c:\program files\Kaspersky Lab
2011-04-23 17:22 . 2011-05-10 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2011-04-23 17:18 . 2011-04-23 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2011-04-22 10:33 . 2011-04-22 10:33 -------- d-----w- c:\documents and settings\New User\Application Data\Malwarebytes
2011-04-22 10:33 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-22 10:33 . 2011-04-22 10:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-22 10:33 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-22 10:33 . 2011-04-22 10:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-22 01:12 . 2011-05-08 17:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-04-22 01:12 . 2011-04-23 13:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-22 00:18 . 2011-04-22 00:19 -------- d-----w- c:\documents and settings\Administrator
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-14 09:07 . 2010-06-09 13:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-14 06:40 . 2007-09-26 21:12 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-04-11 07:04 . 2010-12-18 16:52 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 20:20 . 2011-04-06 20:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33 . 2005-07-15 04:07 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-04 12:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 13:51 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:51 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51 . 2004-08-04 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 13:18 . 2004-08-04 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:37 . 2004-08-04 12:00 369664 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32 . 2009-04-15 11:33 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-04-14 16:26 . 2011-04-30 15:32 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="1" [X]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2008-01-22 152872]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 1867888]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe" [2010-11-03 365336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-24 09:15 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-01-02 21:41 45056 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-05 19:57 133104 ----atw- c:\documents and settings\New User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-05-28 12:27 570664 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000]
2006-10-13 22:04 707376 ----a-w- c:\windows\vVX3000.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPAGER.EXE"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox 4.0 Beta 12\\firefox.exe"=
"c:\\Program Files\\Adobe\\Adobe Photoshop Lightroom 3.2\\lightroom.exe"=
"c:\\Documents and Settings\\New User\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 32784]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [6/9/2010 4:43 PM 11352]
R2 nlsX86cc;Nalpeiron Licensing Service;c:\windows\system32\nlssrv32.exe [4/28/2010 4:56 PM 63488]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [12/13/2007 2:28 PM 24592]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [11/2/2009 7:27 PM 19472]
S1 MpKsl17661466;MpKsl17661466;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF871F28-4433-48FD-AF9A-BED65E42CFF2}\MpKsl17661466.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF871F28-4433-48FD-AF9A-BED65E42CFF2}\MpKsl17661466.sys [?]
S1 MpKsl58685dde;MpKsl58685dde;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF871F28-4433-48FD-AF9A-BED65E42CFF2}\MpKsl58685dde.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF871F28-4433-48FD-AF9A-BED65E42CFF2}\MpKsl58685dde.sys [?]
S1 MpKsla74803d6;MpKsla74803d6;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF871F28-4433-48FD-AF9A-BED65E42CFF2}\MpKsla74803d6.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF871F28-4433-48FD-AF9A-BED65E42CFF2}\MpKsla74803d6.sys [?]
S1 MpKslb902af06;MpKslb902af06;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF871F28-4433-48FD-AF9A-BED65E42CFF2}\MpKslb902af06.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF871F28-4433-48FD-AF9A-BED65E42CFF2}\MpKslb902af06.sys [?]
S2 CWMonitor;Symantec Crimeware Protection Driver;\??\c:\program files\Common Files\Symantec Shared\coShared\CW\1.0\Monitor.sys --> c:\program files\Common Files\Symantec Shared\coShared\CW\1.0\Monitor.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - IPVNMon
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-05-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-1801674531-682003330-1004Core.job
- c:\documents and settings\New User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 19:57]
.
2011-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1935655697-1801674531-682003330-1004UA.job
- c:\documents and settings\New User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 19:57]
.
2011-05-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.sbc.com/dsl
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://yahoo.sbc.com/dsl
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyServer = http=localhost:3574
uInternet Settings,ProxyOverride = cgi*.ebay.com;disney.go.com;msa_e1.ebay.com;rhapsody_app*.listen.com;<local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Yahoo! Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\New User\Application Data\Mozilla\Firefox\Profiles\j3snxtxy.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 3574
FF - prefs.js: network.proxy.type - 4
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-10 12:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1935655697-1801674531-682003330-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(784)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-05-10 12:12:56
ComboFix-quarantined-files.txt 2011-05-10 16:12
ComboFix2.txt 2011-05-10 13:32
ComboFix3.txt 2011-05-06 04:00
.
Pre-Run: 20,059,086,848 bytes free
Post-Run: 20,041,838,592 bytes free
.
Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 72D24D4C45DCB9997563D4ED0765A00A






--------------------------------------------




Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6517

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

5/10/2011 12:18:59 PM
mbam-log-2011-05-10 (12-18-59).txt

Scan type: Quick scan
Objects scanned: 159498
Time elapsed: 4 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 jleebee

jleebee
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 10 May 2011 - 12:09 PM

* am not seeming to be redirected, but having pop-ups open in new window, which has not happened before.

#7 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:54 PM

Posted 10 May 2011 - 12:38 PM

AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

As stated before please remember that only one can be set as real-time protection.

Looking good.

Let's do a scan for leftovers as well.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Posted Image
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#8 jleebee

jleebee
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:08:54 AM

Posted 10 May 2011 - 06:11 PM

As stated before please remember that only one can be set as real-time protection.

.. i am not running them both at once, i only dl'd kaspersky in hopes that it would have helped... but.......

thank you again...
heres the log.







ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=e9710082459e3d4ea19eafdc77b7fde7
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-05-10 10:16:08
# local_time=2011-05-10 06:16:08 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=1281 16774566 100 0 0 0 83284630 0
# compatibility_mode=1536 16777215 100 0 0 0 0 0
# compatibility_mode=5891 16776869 42 87 0 16164829 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=122197
# found=0
# cleaned=0
# scan_time=5805

#9 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:54 PM

Posted 11 May 2011 - 02:21 AM

.. i am not running them both at once, i only dl'd kaspersky in hopes that it would have helped... but.......

The please remove one of them.


Hey there, jleebee !

OK! Well done, your log is clean again! :thumbsup:

Time for some housekeeping.

Step 1.
Clean up:

We need to do is to remove all the tools that you have used. This is so that should you ever be re-infected, you will download updated versions. It will also remove the quarantined Malware from your computer.

First:
  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
    Posted Image

Second:
  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Now delete any tools/logs that is left over after you ran OTC.


Step 2.
Prevention:

OK, lets carry out a few preventative steps to make sure you reduce the risk of further infections.

First:
Your Adobe Acrobat Reader is out of date. Older versions are vulnerable to attack.

Please go to the link below to download an update.

http://www.adobe.com/products/acrobat/readstep2.html

Remove the older versions and install the latest,


Second:
One of the essentials is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats, Microsoft releases security updates that help your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the Internet.
  • Click Apply then OK.


Third:
Now lets download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
.
Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.


Fourth:
Next lets look at Firewalls. These help to prevent unauthorized access both to and from the Internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are two free firewalls to choose from, if you do not already have one. Note: You only need one firewall one your system.

Personal Firewalls
Fifth:
On to personal Anti Virus programs.

One AV is a must have! But never more than one, as this can and will cause conflicts and false readings. I have listed three free AV's below which are as good as any paid subscription AV, as long as you allow them to update themselves.

Anti Virus Programs
Sixth:
Nearly done! If you like to use chat, MSN and Yahoo have vulnerabilities that can leave you open to infections. There are however a couple of very good, Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers
Lastly:
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.


I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Posted Image
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#10 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:54 PM

Posted 16 May 2011 - 07:57 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Posted Image
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users